COVID-19’s effects on cyberspace: disinformation, espionage, data theft, fraud, and extortion. Also far greater remote working.
Dave Bittner: [00:00:03] COVID-19's effects on cyberspace - disinformation, espionage, data theft, fraud and extortion - also, far greater remote working.
Dave Bittner: [00:00:20] It's time to take a moment to tell you about our sponsor Recorded Future, the real-time threat intelligence company. Recorded Future's patented technology continuously analyzes the entire web to give cybersecurity analysts unmatched insights into emerging threats. We read their dailies at the CyberWire, and you can, too. Sign up for Recorded Future's Cyber Daily email to get the top trending technical indicators crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, much more. Subscribe today and stay ahead of the cyberattacks. They watch the web so you have time to think and make the best decisions possible for your enterprise's security. Subscribe today and stay ahead of cyberattacks. Go to recordedfuture.com/cyberwire to subscribe for free threat intelligence updates from Recorded Future. It's timely. It's solid. And it's on the money. And we thank Recorded Future for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee, security built natively in the cloud for the cloud, to protect the latest, like containers, to empower your change-makers, like developers, and to enable business accelerators, like your teams. Cloud security that accelerates business - it's about time. Go to mcafee.com/time.
Dave Bittner: [00:01:45] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, March 16, 2020.
Dave Bittner: [00:01:54] Today's news is largely about the opportunistic exploitation of coronavirus fears by various threat actors.
Dave Bittner: [00:02:01] First, there's an ongoing Chinese disinformation effort to blame the COVID-19 coronavirus strain on a U.S. biological warfare program. With insinuation and implausible insistence, foreign ministry spokesman Zhao Lijian tweeted Friday that the U.S. Centers for Disease Control's inability to unambiguously identify a U.S. patient zero in some way suggested that the U.S. Army brought the disease to Wuhan, the city where the outbreak was first noticed. CNN reports that the U.S. State Department summoned the Chinese ambassador to Washington for a dressing down over the foreign ministry's remarks.
Dave Bittner: [00:02:42] In this case, the probable goal is opportunistic - deflect blame and discredit an international rival. An epidemic traceable to Wuhan is embarrassing to Beijing, calling into question public health and perhaps sanitation policies and practices.
Dave Bittner: [00:02:58] But why the U.S. Army? Well, the last international Military World Games, an international athletic competition designed to foster goodwill among the world's military services, was held in Wuhan during October of last year, and there was a U.S. team there. And that's the bodyguard of truth this particular lie is receiving. The conspiracy theory will have few takers among serious people, but Russia Today is enjoying the diplomatic dust-up.
Dave Bittner: [00:03:28] In other respects, the COVID-19 pandemic continues to provide raw material for both state-directed and criminal campaigns. The technique has generally been to couple spoofing with coronavirus-themed phishbait, as BAE Systems noted this weekend in an infographic display of recent activity. Some of the threat groups BAE calls out include Transparent Tribe, Gamaredon, Mustang Panda, Operation LagTime IT and Sandworm Olympic Destroyer. Transparent Tribe is a Pakistani operation going after Indian targets using malicious XLS files to deliver the Crimson remote access Trojan, all the while posing as an Indian training company. Malwarebytes has also seen a surge in coronavirus-themed phishing by Pakistan's APT36, and they, too, report that it's pushing the Crimson RAT at Indian targets. The Russian operators behind Gamaredon are impersonating the Ukrainian foreign ministry with the Pterodo back door, delivered via malicious Microsoft Word files. And the GRU's Sandworm is not to be left out. It's spoofing Ukraine's Ministry of Health to distribute a .NET back door. Mustang Panda, a Chinese operation, is using bogus news articles to push the Cobalt Strike stager. Operation LagTime IT, also a Chinese APT, is spoofing the Mongolian Ministry of Health to distribute a Poison Ivy stager. And parties unknown have been impersonating the U.S. Centers for Disease Control, pushing the Remcos RAT.
Dave Bittner: [00:05:07] NBC News summarizes some of the operations FireEye and CrowdStrike are seeing - Russian services working against Ukraine, North Korea against South Korea and Chinese services against targets in Southeast Asia, especially Vietnam. Some of the phishing is unusually persuasive, researchers at Recorded Future told NBC - quote, "these lures have really authentic branding, like they pretend to be from the CDC or the WHO or other really credible groups and then target people based on this seems like a really interesting thing offering me more information in a time that has so much information," end quote.
Dave Bittner: [00:05:46] Workforce development firm CyberVista has been exploring innovative approaches to help close the cybersecurity employment gap, as well as keeping current employees informed on the latest developments. Simone Petrella is CEO and founder of CyberVista, and we caught up at the RSA Conference.
Simone Petrella: [00:06:04] So the Choose Your Own Adventure was really to give people an interactive way to think about training and get a little bit of a taste of the experience of what it's like to do an assessment first, really get results in real time that then demonstrates where, from a personal plan perspective, you need to train. And the way that we would start is you would take about an hourlong test, but you would get real-time results based on your performance on that that would break down the actual skills gaps that you have in your knowledge, which we then could use to compare to either the role that you are currently in, to establish if you are appropriately, you know, performing at that level, or can actually compare that against aspirational roles to identify what training or upskilling is required to move someone to that next level. And so, really, it allows a lot of personalized pathways based on the results. And that's what we do with a lot of our customers and companies.
Dave Bittner: [00:07:10] When you're hearing with folks across the industry and they're coming to you and expressing the things that they think are working and the things that they're frustrated with when it comes to training in general, what sort of stories are being told to you?
Simone Petrella: [00:07:25] What's not working is the cost model of the way that we train today, for sure.
Dave Bittner: [00:07:32] OK.
Simone Petrella: [00:07:32] What, you know, we hear from employers is that not only is it costly, but it's impossible to tie the training or the career development opportunities that they give to staff back to what they're actually doing in their employment spaces. So it's being utilized as a retention tool in many cases, and there are things that are effective as retention measures, but it's not actually meeting the organizational need to have qualified people in those positions. So there's, like, kind of a gap in the return on investment in the expenditure you make on employer programs, especially in, you know, security training, and what that means when you bring them back into the workplace.
Dave Bittner: [00:08:12] Yeah. I mean, it strikes me that, you know, everyone's trying to do less - or do more with less, of course, and maximize what their employees are achieving in the workplace. But I don't suspect there are many employees who say to themselves, oh, goody, more training that doesn't have directly to do with the things that I do day to day. And so often, security is kind of one of those side things. I'm curious. From a culture point of view, do you have any advice for companies of how they can establish a culture that places value on these things in a way that the employees are going to buy in?
Simone Petrella: [00:08:50] Yeah. First and foremost, it needs to be a culture and an expectation of accountability that's set at the top of the organization. Employers really have to take charge of solving this problem. This is not going to come out of academia. It's not going to come out of companies, even like mine, that are doing training and education development. They really have to take the lead in investing the time, the prioritization and the resources in defining what they need so that companies can come up with solutions that actually meet that kind of new economy skill requirement for us within the security space.
Dave Bittner: [00:09:27] That's Simone Petrella from CyberVista.
Dave Bittner: [00:09:30] Criminal gangs are also using COVID-19 as phishbait - fearware, the Independent calls it, quoting Darktrace and other security firms - and the criminals are doing so in predictable ways, with phishing, fraud and ransomware, mostly. The relative novelty of the topic lends itself to crafting emails that bypass some of the common spam filters many people have in place.
Dave Bittner: [00:09:53] The coronavirus is a popular topic of discussion in the cyber underworld, where criminals interested in exploiting current fear are buying commodity tools they can easily repurpose for their campaigns. Little technical skill is involved in using such off-the-shelf malware.
Dave Bittner: [00:10:10] Ransomware operators, a significant subset of the cyber underworld, are also using the pandemic as an opportunity to hit health care organizations responding to the virus. It's consistent with general criminal practice; find a victim that really depends on the availability of their data. Last week, a public health authority in central Illinois was hit. More recently, a major provider of coronavirus testing, University Hospital Brno in the Czech Republic, was also a ransomware victim. CyberScoop reports that the incident is still under investigation, and it's not yet clear how extensive or disruptive the effects of the attack will prove to be. But there's a clear lesson in such attacks that should shape our expectations. Data is valuable during crisis response, and when data is valuable, it draws the attention of criminals. What others see as crisis and misfortune the criminals simply see as opportunity.
Dave Bittner: [00:11:07] There's much advice on offer about securing telework. The U.S. Cybersecurity and Infrastructure Security Agency, CISA, recommends virtual private networks, VPNs, with advice on how to use them securely and effectively. This is important because as VPNs rise in importance, they become attractive targets for criminals. CISA recommends updating VPNs and associated systems used for remote work so they've got the latest patches and sound security configurations. Employees should be warned to expect more phishing attempts. Security teams should dust off their plans for log review, attack detection and incident response and recovery. Use multifactor authentication and strong passwords. And, before it becomes a problem, test the limitations of your system and plan for higher usage. You can find CISA's recommendations online.
Dave Bittner: [00:11:58] On that last point - the increased traffic the internet will have to carry during the pandemic - The Washington Post offers some grounds for measured optimism. In the U.S., at least, and much the same is, no doubt, happening elsewhere, major ISPs have put measures in place to accommodate increased demand. But prepare to avoid some higher-bandwidth applications if you run into problems. Be content, for example, with audio, as opposed to audio and video, when audio alone will do. That hardly seems like too much of a sacrifice for most organizations.
Dave Bittner: [00:12:32] Are people, in fact, using VPNs more? According to an Atlas VPN report, they are. There's been a global surge in VPN use. Italy leads with a 112% increase in VPN usage last week. The U.S. is second, with a 53% spike.
Dave Bittner: [00:12:55] And now a word from our sponsor LookingGlass Cyber. Organizations have been playing a dangerous game of cyber Jenga, stacking disparate security tools, point solutions and boxes one on top of the other, hoping to improve their security posture. This convoluted and overloaded security stack can't hold up in today's microsegmented, borderless and distributed networks. As the enterprise network grows, organizations need a flexible protection around their unique network ecosystems. By weaving security into the investments your organization has already made, formerly disjointed tools can communicate with one another to disrupt and distract the adversary without revealing your defenses. With a software-based approach to unifying your security stack, security teams can easily scale their protection to fit their needs with one integrated software solution requiring no specialty hardware. Meet the Aeonik Security Fabric. Learn more at lookingglasscyber.com. That's lookingglasscyber.com. And we thank LookingGlass Cyber for sponsoring our show.
Dave Bittner: [00:14:08] And joining me once again is David Dufour. He's the vice president of cybersecurity and engineering at Webroot. David, it's always great to have you back. You and your team recently published your 2020 Threat Report. Take us through what were some of the findings here.
David Dufour: [00:14:23] Yes. Great to be back, David. As you say, we came out with our Threat Report. A lot of the findings I think people are not going to be surprised about. Phishing remains to be a big deal - ransomware. But there are some things where we're seeing really targeted attacks on certain Windows versions and things like that.
Dave Bittner: [00:14:41] Well, let's go through some of the details. What did you find?
David Dufour: [00:14:43] So phishing sites - we saw actual phishing grow at about a 640% increase over last year.
Dave Bittner: [00:14:52] Wow.
David Dufour: [00:14:52] And what that equates to is we're now seeing almost 1% of all websites on the internet have phishing URLs. So somewhere embedded in those websites, we're seeing phishing URLs. And so it's continuing to become a prolific problem. It's very common everywhere. And I think we're all familiar with phishing, but it's something we've got to stay vigilant with.
Dave Bittner: [00:15:16] And that's prevalent because it works, I suppose.
David Dufour: [00:15:19] Well, it really does work. And one of the big things we're seeing - about a quarter - about 27% of those phishing sites, they're implementing SSL or TLS so that if you have an HTTPS connection - and I know you and I have talked about this before, but it's super important that people don't trust that beautiful green lock in the browser.
Dave Bittner: [00:15:39] Right.
David Dufour: [00:15:40] You want it, but if you - so if you don't have it, you should be wary. But just because you see that green lock, that doesn't mean that you're actually safe. You know, the phishers are able to get out there. There's really been a proliferation of the ability to get SSL certificates, and they're - the phishing sites - almost any good phisher is using those now.
Dave Bittner: [00:16:01] What other things did you cover here in the report?
David Dufour: [00:16:05] A couple of them super, super important around Windows 7. You know, Microsoft's not supporting that, hasn't been for a while. We've seen a 125% uptick in attacks directed specifically at Windows 7 machines, so older machines. A lot of manufacturing - we're seeing a lot of manufacturing where they don't necessarily upgrade the machines or even update them. So a lot of folks, if you're running older versions of Windows, you have to be very, very cognizant of what's going on, which kind of leads into our final point on consumers remaining to be nearly twice as high in infection rates than businesses. And we're seeing a lot of that because - simply because consumers are using machines longer. This is really an interesting stat, actually, David. Most machines that get infected, more than a third of them are infected at least three times. And 10% of the machines that we see that are infected get infected six times or more.
David Dufour: [00:17:03] Now, what does that mean? That probably points to bad, you know, practices by those folks using those machines, clicking the links - the phishing links and things like that when they come in. So, really, it's across the board, if you've got older machines, make sure you're updating them. And then really pay attention to what you're doing. And somehow, we have to start educating the consumers more.
Dave Bittner: [00:17:24] Yeah. It seems to me like it's easy to have this philosophy that, you know, if it ain't broke, don't fix it, particularly when it comes to - I can see home users, a lot of my friends and family - everything seems to be working fine. But I suppose these days, you've got to keep going with those updates.
David Dufour: [00:17:41] You absolutely do. And unfortunately, when an operating system is no longer supported, you do need to think about getting a new machine, even if it's doing what you need, if that machine is doing something important to you, like you're banking on it or things of that nature.
Dave Bittner: [00:17:57] Yes. I suppose even, you know, gifting your loved ones a new computer for a birthday or for the holidays or something like that - that could be a way that you can help keep them secure and up to date.
David Dufour: [00:18:08] That's absolutely correct, because as we always say, David, there are three real things you want to do with any machine to stay, you know, the minimum, which is, you know, have an antivirus, make sure you're backing up. But that third one is make sure you're patching. And getting someone a newer computer ensures they're getting the latest patches for that operating system, which really does provide that No. 1 protection from exploits and things like that.
Dave Bittner: [00:18:32] All right. Well, David Dufour, thanks for joining us.
David Dufour: [00:18:34] Great being here, David.
Dave Bittner: [00:18:40] And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It will save you time and keep you informed. Listen for us on your Alexa smart speaker, too.
Dave Bittner: [00:18:59] Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:19:11] Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security, Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence. And every week, we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcast.
Dave Bittner: [00:19:40] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team - working from home - is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Take care of yourselves. Take care of each other. Stay safe. Thanks for listening. We'll see you tomorrow.